Federated SSO FAQs
Before Registration
How does the Equinix self-service federation process work?
Once the federation setup is complete, any user from the customer organization can visit the Equinix federation URL or log in via federation from the Equinix unified login page. The user then must enter their organization's email address. Based on the email domain provided, the user is redirected to the organization's identity provider page for authentication. Once authenticated, the user can access the appropriate Equinix portals.
On the customer side, what is needed to configure federation?
The company administrator should work with the organization's internal security team to determine the Single Sign-On (SSO) configuration. The company administrator then must submit the federation request using the Self-Service Federation application, entering the required federation information on the subsequent screens to complete the setup request.
Which federation protocols does Equinix support?
Currently, Equinix supports SAML 2.0 for federation. Equinix can federate with any Identity Provider (IdP) that supports the SAML 2.0 protocol. In the future, Equinix may support other protocols like OIDC, as needed.
Which Identity Provider (IdP) vendors are supported?
We support any IdP vendor that supports SAML 2.0.
Which user attributes are required in the SAML response?
The SAML subject must contain the email address attribute. Any user attribute other than email address is not required and will be ignored. Ensure that the primary email address in the ECP profile matches the organization's email address for every user that wants to log in via federation.
Which binding is required in the SAML?
Equinix federation only supports POST binding.
Where can I download the Equinix SAML metadata?
Click the Download button on the top-right corner of the federation portal.
What information do I need to begin the federation process?
You need to provide an email domain for your organization and the SAML metadata. A digital certificate is required if the metadata file does not contain a digital certificate. If you do not want to upload the metadata file or if there is any issue with the metadata file update, manually provide the Entity ID and the SSO URL of the organization, and then upload a digital certificate on the next screen.
During Registration
What do I enter for the email domain field?
Enter the email domain for your organization (for example, if the email address for your organization is user@acme.com, enter acme.com). If you need to enter multiple domains, separate them with a comma (for example, if email addresses are user@acme.com and user@acme.co.eu, enter acme.com, acme.co.eu in the domain field).
What do I enter for the Entity ID field?
An Entity ID is a globally unique name for a SAML entity, i.e., your Identity Provider (IdP) or Service Provider (SP). It is how other services identify your entity. Like any other unique identifiers that you share to interoperate with others, making sure your identifier is clear, unique, and permanent is critical for the successful continued operation of your service(s). Choose your entity ID carefully and deliberately.
What do I enter for the Single Sign on URL field?
Enter your single sign-on URL, where Equinix will redirect users from your organization to log in.
Where can I find Equinix metadata?
See Register for Self Service Federation. After you select the Federated Single Sign-On card, the Federation Registration page appears. This page contains a link to download the Equinix SAML metadata.
After my federation request is provisioned, what do I need to do?
See Verify Federated SSO Configuration.
Can we enable Multi-Factor Authentication (MFA)?
Yes. If your IdP has MFA enabled, users are prompted for MFA authentication when they sign in to the Customer Portal. See Multi-Factor Authentication (MFA).
Managing MFA is the responsibility of the client or IdP.
After Registration
How do I access my federated portals?
Go to the Customer Portal, enter your email address, and click Next. You will be redirected to your organization's login page. Log in with your organization credentials. Once authenticated, you can access the appropriate Equinix portals.
What if I have other questions?
Contact your Equinix representative. They will forward your questions to the federation support team.
How do I disable username and password sign in access after enabling federation?
Add a comment to your federated SSO request to engage with an Equinix administrator, and request that the option to sign in using username and password be disabled.
Information to include in your request:
- Would you like to stop username and password access on the mobile application?
- Is there a specific date to make the change?
We plan to change our IdP metadata. What do we need to do?
Add a comment to your federated SSO request to engage with an Equinix administrator. Provide your updated metadata and, if it is not in the metadata, provide the updated certificate. Updated metadata is required when changing IdPs entirely or when updating your metadata for the same IdP.
How do I enable federation for multiple organizations?
When a federation request is submitted, it applies only to the organization that the company administrator used to sign in. To add additional organizations for federation, add a comment to your federated SSO request to engage with an Equinix administrator and get support for enabling federated SSO for multiple organizations.